Outline of Craig Ball's Electronic Discovery Workbook - Email
Here's a continuation of my outline of the 2016 edition of Craig Ball's Electronic Discovery Workbook which I last posted about on June 9, 2017.
X. Mastering Email in Discovery
Will clients attempt to conceal damaging emails?
Will employees delete emails from a company’s systems?
Will searches target the correct digital venues?
Will review inadvertently disclose privileged communications or confidential data?
The average person sends and receives 123 emails each day.
E-mail lodges on servers, cell phones, laptops, home systems, thumb drives and in the cloud.
Most IT professionals don’t know where it’s stored or for how long.
Checklist About Client Email Systems
MS Exchange; Domino; or Office 365?
All discoverable emails go through company’s server?
Local email stores synch with system?
How long email clients and server applications in use?
What are the message purge, retention, journaling and archival settings for each key custodian?
Can a custodian be prevented from deleting emails?
Does backup system capture email stored on custodian’s desktops?
Where are email container files stored?
Collection and preservation methods?
Home PCs used for business purposes?
Instant messaging used for business?
Are employee owned devices allowed to access the network?
Enterprise search – search of remote email stores from central location.
Email archiving - Enterprise collections collected into single repository.
Reduce through single instance de-duplication; rules based journaling.
Email Systems and Files
Behind the firewall environment dominated by:
MS Exchange Server
IBM Lotus Domino
Novell GroupWise (popular with government)
MS Office 365
API – application protocol facilitates communication
POP3 (Post Office Protocol, version 3)
Now rarely used.
IMAP (Internal Mail Access Protocol)
Email client only download all headers. Downloads body only when messaged is opened.
Server stored email with support for local storage.
MAPI (Message Application Programming Interface)
Pre-installed on Windows for basic messaging.
Possible but not common to prevent storage of .pst or .ost files on local machines.
HTTP (Hyper Text Transfer Protocol) –
E.g. Gmail and Hotmail
No local rcord.
Outgoing Email: SMTP and MTA
Simple Message Transfer Protocol – outgoing email.
Message Transfer Agent – uses SMTP to route email over a network to its destination.
Anatomy of an Email
Email is a plain text file.
Attachments are binary data encoded into text. May use Base64 encoding.
Email Header - only the data in section A is visible to the user.
"Received" or X-Received” represents the transfer of the message between two e-mail servers.
Content-Type declaration distinguishes between header and body of message.
Hashing and Deduplication
messages contain unique identifiers, time stamps and routing data that would frustrate efforts to compare one complete message to another using hash values.
Hashing emails omits the header parts with the message identifier and transit data.
Local Email Storage
Email may not only be found on the server but also in:
Temporary Internet Files
Short Message Service exchanges in smartphone synch files.
Offline synch files (.ost files) on laptops.
OLK system subfolders holding viewed attachments.
Nearline email – backups of user email folders
Email residing on non-party servers
Legacy email stores
Email saved to other formats
Email retained by vendors
Offline on backup tapes and other media
Email in forensically accessible areas.
Looking for Email
finding e-mail stores will hinge on your knowledge of the User’s Account Name or Globally Unique Identifier (GUID) string assigned by the operating system.
.ost files - access to messages when the user has no active network connection.
Every other week (by default), Outlook seeks to auto archive any Outlook items older than six months (or for Deleted and Sent items older than two months).
Outlook viewed attachment folder will have a varying name for every user and on every machine, but it will always begin with the letters “OLK” followed by several randomly generated numbers and uppercase letters.
The latest versions of Exchange Server and the cloud tool, Office 365, feature robust e-discovery capabilities simplifying initiation and managements of legal holds and account exports.
Older versions of Exchange Server stored data in a Storage Group containing a Mailbox Store and a Public Folder Store, each composed of two files: an .edb file and a .stm file. .stm files contain SMTP messages.
Since 2003 MS Exchange can collection email without interrupting its operation.
ExMerge can filtering emails for export.
After an email is deleted by a user, it’s retained for 30 days by default or until Exchange is backed up.
Journaling is the practice of copying all e-mail to and from all users or particular users to one or more repositories inaccessible to most users.
Not purpose built for email messaging and calendaring. It’s a toolkit for building capabilities.
.NSF archive files are constantly duplicated across the network.
Must collect the .id file or may be locked out of encrypted content.
Deletions of an email are replicated system wide.
Web based email
Gmail can be exported in a MBOX format.